Over the next few days we’ll all be writing about the BlueHat sessions… Today I’m excited to have a chance to tell you more about the Exploiting Web Applications presentation made by Caleb Sima, CTO and co-founder of SPI Dynamics at BlueHat 3 on March 9th. (Listen to a podcast interview with Caleb here.)
So you've installed all the latest patches, no one opened any malicious attachments, you've got all the right ports shut down, you've got your firewall, anti-virus software and IDS all running and up to date - and you still got hacked. How did it happen?
This presentation walked the audience through a real penetration test of a bank, and showed our engineers just how the hack happens. I’ll be honest, this was a somewhat unusual talk for us to have at BlueHat - it wasn’t about vulnerabilities in a Microsoft product specifically - in fact the demonstration Caleb walked through wasn’t even Microsoft technology based. But seeing how a malicious hacker can use techniques like SQL injection and blind SQL injection to extract your entire database regardless of what vendor’s software you are using was pretty cool. It isn't every day that you get a glimpse into how malicious hackers find vulnerabilities to access data through web applications, and what can be done to better defend that data.
Caleb is a very engaging speaker and the insight he shared on the methodology a web application hacker uses to approach a target was educational and entertaining. He not only demonstrated the basic premise of these techniques and how to manually execute them, but how they can be easily automated with tools – the hacker can go do dinner and come back to a nice report of results. But not only is the exploit is automated, the research to find an attack target can also be automated! In the next part of the presentation Caleb showed how using common search engines a hacker can identify tens of thousands of vulnerable targets (and even narrow those target searches down to the most interesting domains) in just a few minutes.
All data is valuable; the risk of having your web application broken into is not just credit card fraud or identity theft of your customers. There are also real life examples of one business putting a competitor out of business by accessing customer lists, pricing plans, and design schematics to give them an edge.
So how do you protect your data? It isn’t enough to just limit the amount of information in your error messages that may give hackers a roadmap into your database – that doesn’t protect you against blind SQL injection attacks. The majority of web application attacks can be solved by input validation!
Unfortunately, time ran out before Caleb had a chance to get to his last segment – some very early research he is doing on how a hacker could manipulate search engine results to push their website further up in the rankings. The audience (close to 700 engineers) was audibly disappointed, so Caleb offered to come back at the end of the day and present another 20 minutes to cover this topic. And at the end of a full conference day, everyone in the audience stayed late to see this additional content.
And I’ve got to take a moment to thank Caleb for his sporting sense of humor – without warning him, I arranged to air The Code Room – Breaking Into Vegas to the audience over lunch, a couple hours before his BlueHat presentation. This is an educational and entertaining 30 minute video about a casino being hacked through their web application, so it was a perfect addition to the Thursday BlueHat agenda focusing on database and web application security. Why would I have warned Caleb? You won’t find it on imdb, but Caleb is one of the actors in the video, along with several other security luminaries like John Viega, Joel Scambray, and Frank Swiderski. Thanks guys. J
Next talk review coming to the blog… Current Database Vulnerability Research by David Litchfield